

<!DOCTYPE html>
<html lang="zh-CN" data-default-color-scheme=auto>



<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/favicon.png">
  <link rel="icon" href="/img/favicon.png">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="theme-color" content="#2f4154">
  <meta name="author" content="Fly542">
  <meta name="keywords" content="">
  
    <meta name="description" content="介绍ipset和iptables是两个独立的Linux内核组件，但它们可以协同工作，共同实现Linux系统上的网络安全功能。 ipset是iptables的扩展,它允许你创建 匹配整个地址集合的规则。而不像普通的iptables链只能单IP匹配,ip集合存储在带索引的数据结构中,这种结构即时集合比较大也可以进行高效的查找;除了一些常用的情况,比如阻止一些危险主机访问本机;从而减少系统资源占用或网络">
<meta property="og:type" content="article">
<meta property="og:title" content="ipset与iptables">
<meta property="og:url" content="http://fly542.cn/2023/04/11/04DevOps/25ipset%E4%B8%8Eiptables/index.html">
<meta property="og:site_name" content="Fly542 技术沉淀">
<meta property="og:description" content="介绍ipset和iptables是两个独立的Linux内核组件，但它们可以协同工作，共同实现Linux系统上的网络安全功能。 ipset是iptables的扩展,它允许你创建 匹配整个地址集合的规则。而不像普通的iptables链只能单IP匹配,ip集合存储在带索引的数据结构中,这种结构即时集合比较大也可以进行高效的查找;除了一些常用的情况,比如阻止一些危险主机访问本机;从而减少系统资源占用或网络">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2023-04-11T02:55:09.000Z">
<meta property="article:modified_time" content="2024-04-09T08:46:38.819Z">
<meta property="article:author" content="Fly542">
<meta property="article:tag" content="linux">
<meta name="twitter:card" content="summary_large_image">
  
  
  <title>ipset与iptables - Fly542 技术沉淀</title>

  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/css/bootstrap.min.css" />


  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/github-markdown-css@4/github-markdown.min.css" />
  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hint.css@2/hint.min.css" />

  
    
    
      
      <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/highlight.js@10/styles/github-gist.min.css" />
    
  

  
    <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.css" />
  


<!-- 主题依赖的图标库，不要自行修改 -->

<link rel="stylesheet" href="//at.alicdn.com/t/font_1749284_ba1fz6golrf.css">



<link rel="stylesheet" href="//at.alicdn.com/t/font_1736178_lbnruvf0jn.css">


<link  rel="stylesheet" href="/css/main.css" />

<!-- 自定义样式保持在最底部 -->


  <script id="fluid-configs">
    var Fluid = window.Fluid || {};
    var CONFIG = {"hostname":"fly542.cn","root":"/","version":"1.8.14","typing":{"enable":true,"typeSpeed":70,"cursorChar":"_","loop":false},"anchorjs":{"enable":true,"element":"h1,h2,h3,h4,h5,h6","placement":"right","visible":"hover","icon":""},"progressbar":{"enable":true,"height_px":3,"color":"#29d","options":{"showSpinner":false,"trickleSpeed":100}},"copy_btn":true,"image_zoom":{"enable":true,"img_url_replace":["",""]},"toc":{"enable":true,"headingSelector":"h1,h2,h3,h4,h5,h6","collapseDepth":0},"lazyload":{"enable":true,"loading_img":"/img/loading.gif","onlypost":false,"offset_factor":2},"web_analytics":{"enable":false,"baidu":null,"google":null,"gtag":null,"tencent":{"sid":null,"cid":null},"woyaola":null,"cnzz":null,"leancloud":{"app_id":null,"app_key":null,"server_url":null,"path":"window.location.pathname","ignore_local":false}},"search_path":"/local-search.xml"};
  </script>
  <script  src="/js/utils.js" ></script>
  <script  src="/js/color-schema.js" ></script>
<meta name="generator" content="Hexo 6.0.0"></head>


<body>
  <header style="height: 70vh;">
    <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">
    <a class="navbar-brand" href="/">
      <strong>Fly542 技术沉淀</strong>
    </a>

    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/">
                <i class="iconfont icon-home-fill"></i>
                首页
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/archives/">
                <i class="iconfont icon-archive-fill"></i>
                归档
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/categories/">
                <i class="iconfont icon-category-fill"></i>
                分类
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/tags/">
                <i class="iconfont icon-tags-fill"></i>
                标签
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/about/">
                <i class="iconfont icon-user-fill"></i>
                关于
              </a>
            </li>
          
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" target="_self" href="javascript:;" data-toggle="modal" data-target="#modalSearch" aria-label="Search">
              &nbsp;<i class="iconfont icon-search"></i>&nbsp;
            </a>
          </li>
        
        
          <li class="nav-item" id="color-toggle-btn">
            <a class="nav-link" target="_self" href="javascript:;" aria-label="Color Toggle">&nbsp;<i
                class="iconfont icon-dark" id="color-toggle-icon"></i>&nbsp;</a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

    <div class="banner" id="banner" parallax=true
         style="background: url('/img/default.png') no-repeat center center;
           background-size: cover;">
      <div class="full-bg-img">
        <div class="mask flex-center" style="background-color: rgba(0, 0, 0, 0.3)">
          <div class="page-header text-center fade-in-up">
            <span class="h2" id="subtitle" title="ipset与iptables">
              
            </span>

            
              <div class="mt-3">
  
  
    <span class="post-meta">
      <i class="iconfont icon-date-fill" aria-hidden="true"></i>
      <time datetime="2023-04-11 10:55" pubdate>
        2023年4月11日 上午
      </time>
    </span>
  
</div>

<div class="mt-1">
  
    <span class="post-meta mr-2">
      <i class="iconfont icon-chart"></i>
      2.2k 字
    </span>
  

  
    <span class="post-meta mr-2">
      <i class="iconfont icon-clock-fill"></i>
      
      
      19 分钟
    </span>
  

  
  
</div>

            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid nopadding-x">
  <div class="row nomargin-x">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-x-md">
      <div class="container nopadding-x-md" id="board-ctn">
        <div class="py-5" id="board">
          <article class="post-content mx-auto">
            <!-- SEO header -->
            <h1 style="display: none">ipset与iptables</h1>
            
            <div class="markdown-body">
              <h1 id="介绍"><a href="#介绍" class="headerlink" title="介绍"></a>介绍</h1><p>ipset和iptables是两个独立的Linux内核组件，但它们可以协同工作，共同实现Linux系统上的网络安全功能。</p>
<p>ipset是iptables的扩展,它允许你创建 匹配整个地址集合的规则。而不像普通的iptables链只能单IP匹配,ip集合存储在带索引的数据结构中,这种结构即时集合比较大也可以进行高效的查找;除了一些常用的情况,比如阻止一些危险主机访问本机;从而减少系统资源占用或网络拥塞,IPsets也具备一些新防火墙设计方法,并简化了配置.官网:<a target="_blank" href="http://ipset.netfilter.org/" rel="nofollow noopener">http://ipset.netfilter.org/</a></p>
<p>具体来说，ipset是用于管理大规模IP地址集合的内核模块，可用于在Linux系统上创建、修改和删除多个IP地址集。而iptables是Linux上的一种防火墙框架，它允许管理员在网络数据包传输前、中、后的不同阶段对其进行过滤、修改、转发等操作。</p>
<p>ipset和iptables可以互相协作，使得iptables防火墙规则可以更高效地处理大规模的IP地址集合。通常情况下，iptables规则是基于多个IP地址进行拦截和过滤，而当IP地址的数量特别大时，使用iptables单独处理这些地址可能会导致性能问题。为了解决这个问题，管理员可以使用ipset来创建和管理大规模IP地址集合。然后，通过iptables规则，请参考指定这些IP集合，使管理员可以更加高效、简洁的定义规则。</p>
<p>使用ipset与iptables的组合可以实现比基于iptables的规则更高效、灵活的网络安全策略。</p>
<h1 id="ipset安装"><a href="#ipset安装" class="headerlink" title="ipset安装"></a>ipset安装</h1><figure class="highlight awk"><table><tr><td class="gutter"><div class="code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></div></td><td class="code"><pre><code class="hljs awk">yum安装： yum install ipset <br>源代码安装：进官网下载ipset-<span class="hljs-number">6.30</span>.tar.bz2 <br>yum -y install libmnl-devel libmnl tar -jxvf ipset-<span class="hljs-number">6.30</span>.tar.bz2  &amp;&amp; cd ipset-<span class="hljs-number">6.30</span> &amp;&amp; .<span class="hljs-regexp">/configure --prefix=/u</span>sr<span class="hljs-regexp">/local/i</span>pset &amp;&amp; make &amp;&amp; make install<br>完成安装<br></code></pre></td></tr></table></figure>

<h1 id="ipset使用"><a href="#ipset使用" class="headerlink" title="ipset使用"></a>ipset使用</h1><figure class="highlight vala"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><code class="hljs vala"><span class="hljs-meta"># 显示当前ipset的内容</span><br>ipset --list<br><br><span class="hljs-meta"># 创建节点数据为ipv6，存储类型为hash:net的名为test_whb_v6集合</span><br>ipset create test_whb_v6 hash:net family inet6<br><br><span class="hljs-meta"># 创建节点数据为ipv4,存储类型为基于hash表专门存储ip的test_whb集合</span><br>ipset create test_whb hash:ip<br><br><span class="hljs-meta"># 保存规则到ipset文件</span><br>ipset save<br><br></code></pre></td></tr></table></figure>

<h2 id="ipset-del使用"><a href="#ipset-del使用" class="headerlink" title="ipset del使用"></a>ipset del使用</h2><figure class="highlight css"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs css">ipset <span class="hljs-selector-tag">del</span>删除规则时，必须重启iptables服务才会生效<br><br>ipset <span class="hljs-selector-tag">del</span> jump_mysql <span class="hljs-number">111.206</span>.<span class="hljs-number">110.202</span> 重启iptables才能生效<br><br>ipset add 添加规则时，不用重启iptables 就会生效<br></code></pre></td></tr></table></figure>
<h2 id="ipset-flush"><a href="#ipset-flush" class="headerlink" title="ipset flush"></a>ipset flush</h2><p>清空所有ipset中的条目</p>
<h1 id="iptables规则文件"><a href="#iptables规则文件" class="headerlink" title="iptables规则文件"></a>iptables规则文件</h1><figure class="highlight asciidoc"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs asciidoc">[root@localhost ~]# cat /etc/sysconfig/iptables<br>#Generated by iptables-save v1.4.7 on Wed Jul 31 10:21:39 2019<br>*filter<br><span class="hljs-meta">:INPUT ACCEPT [0:0]</span><br><span class="hljs-meta">:FORWARD ACCEPT [0:0]</span><br><span class="hljs-meta">:OUTPUT ACCEPT [10988:6938377]</span><br>-A INPUT -s 118.32.234.103/32 -j DROP <br>-A INPUT -i lo -j ACCEPT <br>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <br>-A INPUT -p tcp -m multiport --dports 80,81,82,443 -m state --state NEW -j ACCEPT <br>-A INPUT -s 211.144.68.140/32 -p tcp -m multiport --dports 10050,3306 -j ACCEPT <br>-A INPUT -p tcp -m set --match-set zabbix<span class="hljs-emphasis">_server src -m tcp --dport 10050 -j ACCEPT </span><br><span class="hljs-emphasis">-A INPUT -p tcp -m set --match-set mysql_</span>server src -m tcp --dport 3306 -j ACCEPT <br>-A INPUT -p tcp -m multiport --dports 570,21,1038 -j ACCEPT <br>-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT <br>-A INPUT -j DROP <br>COMMIT<br></code></pre></td></tr></table></figure>

<h1 id="命令行添加iptables规则并保存"><a href="#命令行添加iptables规则并保存" class="headerlink" title="命令行添加iptables规则并保存"></a>命令行添加iptables规则并保存</h1><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs routeros">iptables -I INPUT -m <span class="hljs-builtin-name">set</span> --match-<span class="hljs-builtin-name">set</span> mysql_server src -p tcp -m multiport --dports 10050,3306 -j ACCEPT <br>iptables -I INPUT -m <span class="hljs-builtin-name">set</span> --match-<span class="hljs-builtin-name">set</span> rsync_server src -p tcp              --dport 873 -j ACCEPT<span class="hljs-built_in"></span><br><span class="hljs-built_in">service </span>iptables save<br>/etc/init.d/iptables save<br></code></pre></td></tr></table></figure>






            </div>
            <hr>
            <div>
              <div class="post-metas mb-3">
                
                  <div class="post-meta mr-3">
                    <i class="iconfont icon-category"></i>
                    
                      <a class="hover-with-bg" href="/categories/devops/">devops</a>
                    
                  </div>
                
                
                  <div class="post-meta">
                    <i class="iconfont icon-tags"></i>
                    
                      <a class="hover-with-bg" href="/tags/linux/">linux</a>
                    
                  </div>
                
              </div>
              
                <p class="note note-warning">
                  
                    本博客所有文章除特别声明外，均采用 <a target="_blank" href="https://creativecommons.org/licenses/by-sa/4.0/deed.zh" rel="nofollow noopener noopener">CC BY-SA 4.0 协议</a> ，转载请注明出处！
                  
                </p>
              
              
                <div class="post-prevnext">
                  <article class="post-prev col-6">
                    
                    
                      <a href="/2023/04/12/03%E8%BD%AF%E4%BB%B6%E5%BC%80%E5%8F%91/07%E5%BA%94%E7%94%A8%E8%BD%AF%E4%BB%B6/unbound%E6%BA%90%E7%A0%81%E4%BF%AE%E6%94%B9-%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E5%A2%9E%E5%8A%A0%E5%8F%98%E9%87%8F/">
                        <i class="iconfont icon-arrowleft"></i>
                        <span class="hidden-mobile">unbound源码修改---配置文件增加变量</span>
                        <span class="visible-mobile">上一篇</span>
                      </a>
                    
                  </article>
                  <article class="post-next col-6">
                    
                    
                      <a href="/2023/04/10/03%E8%BD%AF%E4%BB%B6%E5%BC%80%E5%8F%91/07%E5%BA%94%E7%94%A8%E8%BD%AF%E4%BB%B6/unbound%E6%BA%90%E7%A0%81%E5%88%86%E6%9E%90/">
                        <span class="hidden-mobile">unbound源码分析</span>
                        <span class="visible-mobile">下一篇</span>
                        <i class="iconfont icon-arrowright"></i>
                      </a>
                    
                  </article>
                </div>
              
            </div>

            
          </article>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container" id="toc-ctn">
        <div id="toc">
  <p class="toc-header"><i class="iconfont icon-list"></i>&nbsp;目录</p>
  <div class="toc-body" id="toc-body"></div>
</div>

      </div>
    
  </div>
</div>

<!-- Custom -->


    

    
      <a id="scroll-top-button" aria-label="TOP" href="#" role="button">
        <i class="iconfont icon-arrowup" aria-hidden="true"></i>
      </a>
    

    
      <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v"
                 for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>
    

    
  </main>

  <footer class="text-center mt-5 py-3">
  <div class="footer-content">
     <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><span>Hexo</span></a> <i class="iconfont icon-love"></i> <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"><span>Fluid</span></a> 
  </div>
  

  

  
</footer>


  <!-- SCRIPTS -->
  
  <script  src="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.js" ></script>
  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.css" />

  <script>
    NProgress.configure({"showSpinner":false,"trickleSpeed":100})
    NProgress.start()
    window.addEventListener('load', function() {
      NProgress.done();
    })
  </script>


<script  src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js" ></script>
<script  src="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/js/bootstrap.min.js" ></script>
<script  src="/js/events.js" ></script>
<script  src="/js/plugins.js" ></script>

<!-- Plugins -->


  <script  src="/js/local-search.js" ></script>



  
    <script  src="/js/img-lazyload.js" ></script>
  



  



  
    <script  src="https://cdn.jsdelivr.net/npm/tocbot@4/dist/tocbot.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/anchor-js@4/anchor.min.js" ></script>
  
  
    <script defer src="https://cdn.jsdelivr.net/npm/clipboard@2/dist/clipboard.min.js" ></script>
  






  <script  src="https://cdn.jsdelivr.net/npm/typed.js@2/lib/typed.min.js" ></script>
  <script>
    (function (window, document) {
      var typing = Fluid.plugins.typing;
      var title = document.getElementById('subtitle').title;
      
        typing(title);
      
    })(window, document);
  </script>















<!-- 主题的启动项 保持在最底部 -->
<script  src="/js/boot.js" ></script>


</body>
</html>
